Why security pros are addicted to FUD and what you can do about it

Despite professing anti-FUD rhetoric, cyber experts fan the flames, breathlessly sharing the details of the latest data breaches. It's a risky addiction that can lead to security apathy in enterprises. Here's how to harness it.

Despite my best efforts to stay positive about cybersecurity and keep clear of that dangerous, addictive substance, bad news FUD is still winning me over.

But… I’m not the only one; there are plenty of us who are tempted by FUD. In fact, it is my opinion that, despite professing anti-FUD rhetoric, the vast majority of cyber experts have the exact same problem – even if they don’t know it. Allow me to explain.

But like a hungry boy drawn by the smell of freshly baked chocolate-chip cookies on the kitchen table, I’m hopelessly attracted to the juicy details behind big banks being hacked, credit agency employees falling for phishing scams, ransomware bringing down governments, cyber pirates hacking ships, the latest zero-day malware that defeats Microsoft or Google or Apple, big tech companies making stupid online mistakes, cars stolen by hackers' radio transmitters, NSA employees and contractors turning to the dark side and more and more and more.

Yes – my enquiring mind wants to know. …

I get excited when a major new data breach hits the top headline of the Wall Street Journal, New York Times, USA Today or the Washington Post. I often see big hacks and other huge cyber problems as opportunities – not societal ills.

When the Target, Equifax, OPM, Yahoo and other data breaches were announced, I devoured the details, surfing cyberspace for the “rest of the story,” hidden secrets, and expert commentary. I share my views on LinkedIn, tweet about various aspects and angles of the security problems, argue with simple fixes and explain how the story fits into historical context.

I write about cyber incidents, hacking trends, breach predictions, new technologies like IoT — and try to connect the never-ending security ramification dots. When bad news surfaces, I ask: What does it all mean? What’s next?

I add the best articles to a database of stories regarding vulnerabilities, malware causes, hackers, ransomware, dumb mistakes, best practices and more. I go to data breach “tell all details” sessions at security conferences.

But before you laugh and say “been there, done that, got the T-shirt,” I have a challenge for you. Do a little soul searching. Are you prone to this too? Really?

I think the majority of security pros and hackers that I know act in a similar way – even if they consider themselves security “enablers.”

So how did I learn about this hard reality and come back to relook at FUD – again, right now?

Back in February, I was at a Super Bowl party, where I saw a friend that I typically talk to a few times a year in Michigan. He came right up to me and said (in a melancholy tone), “Dan, I see your posts on LinkedIn all the time. I love your writing, but I can’t read them anymore.”

“Why?” I slowly responded.

“I just get too depressed reading about all that negative security news. It’s all problems, hacks, breaches, lawsuits, privacy violations, and worse. No good news. But things can’t be that bad – since technology is booming.”

(Side note: At this point someone interrupted us with a game update of a touchdown for one team, and we never finished the conversation.)

That exchange stuck in my mind for months – leading to this article.

I started asking myself questions: Is FUD in my DNA? Why do I keep going back to these stories?

I analyzed my LinkedIn posts, tweets and other online activities. My weekly blogs were varied, well-rounded and offered cyber solutions, so that didn’t seem to be the top concern.

But I did notice a more negative trend with my tweets and LinkedIn posts, likes and comments. I did tend to send out multiple posts when a big data breach story broke. These posts received the most attention, likes, comments, responses and dialogue.

And it wasn’t just me. Analyzing Brian Krebs and several other well-known security bloggers, I saw even more data breach focus. I wondered if endless descriptions regarding these stories – and even breaking the news of new data breaches – hadn’t become a part of how our cyber industry survives and thrives. Don’t people have a right to know? Don’t they have a need to know?

Diagnosis: Why is FUD so addicting?

After pondering FUD further, I diagnosed why these negative stories are so popular. Here are a few reasons for FUD growth:

Viral attention

Easy to talk about – everyone is doing it

Front and center – hard data – facts are facts

Gets a lot of easy attention in social media (likes, comments, more connections)

Need to understand problems (i.e., think like a hacker) to understand how to build solutions

Solutions often don’t work well or only work for a moment in time

Bad actors can go around solutions almost like a roadblock

Solutions can make you vulnerable to counterattacks

Stay elusive. Don’t get pinned down

Viral attention (yes, it bears repeating)

Living with FUD

While I am convinced that the FUD addiction will be with us for the rest of my life, I also believe that FUD does have a role to play in the industry. Here are a few ideas that can help harness the power of FUD:

Be aware – Understand your own actions and the natural security pro tendency to “share the FUD” as described above.

Offer cyber solutions – Even when you do share FUD, don’t leave people hanging. Even one cyber hygiene tip (or two) can help. What could have been done to prevent the issue? Use more thoughtful answers when possible.

Make FUD an appetizer, not the main course. When using FUD in conversations, presentations or as examples, don’t make it the main topic. Provide a balanced cyber diet.

Final thought: As this blogger points out, the opposite of FUD is often security apathy. Passionate security pros can struggle when others neglect, ignore or dismiss cyber risks as not being relevant or worth addressing in the enterprise. In those cases, FUD is often used to defeat the naysayers.

But FUD becomes a serious long-term concern when overused. The Chicken Little who yells FUD too often can burn people out.

This “FUD / apathy pendulum” can swing back and forth while pragmatic business people look for a reasonable middle ground. One helpful goal is to become (or maintain the role as) the trusted advisor who, even if you are addicted to FUD, offers your business best practice solutions that can help reduce cyber risk in reasonable ways — without hype.